Self Signed Cert Questions

Code Project, Web Development forum
Tags: help, csharp, sysadmin, windows-admin, security
22 Posts, 3 Posters, 35 Views, 1 Watching
Replying to Richard Deeming, who wrote:

    A self-signed certificate created via IIS will only work for "localhost". If you want to create a self-signed cert for a different host, you'll need to specify the common name for it. For example, in Powershell:

    New-SelfSignedCertificate -DnsName "your-host-name" -CertStoreLocation "cert:\LocalMachine\My"

    New-SelfSignedCertificate (pki) | Microsoft Docs. If you're planning on accessing the API from outside of your own network, you'll want a real cert for a real external hostname. Assuming the DNS resolves correctly, you can probably use Let's Encrypt to get a free cert.

    "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

#3 Kevin Marois

I have my server and a couple of Dev PCs sitting here. What I'd like is to test my app from multiple PCs all on my network. Will this work for what I'm looking for? Thanks

    If it's not broken, fix it until it is. Everything makes sense in someone's mind. Ya can't fix stupid.


#4 Kevin Marois

      Thanks for the info.

      Richard Deeming wrote:

      If you want to create a self-signed cert for a different host

I'm not sure what 'host' means here. I'm not sure what the host is. I'm trying to connect from my Dev PC to my server via IP address (192.168.###.###).

      Richard Deeming wrote:

New-SelfSignedCertificate -DnsName "your-host-name" -CertStoreLocation "cert:\LocalMachine\My"

I would run this on the server? Sorry, I've only set this up once and it was 10+ years ago.


#5 Richard Deeming

The host is the name you're connecting to - typically the part between http(s):// and the port number or path. For example, when you connect to CodeProject, the host is "www.codeproject.com". Yes, you would need to run the Powershell to generate the cert on the server.

#6 Kevin Marois

          I'm connecting from within my network via IP. So for the cert the hostname would be 192.168.###.###?


#7 Richard Deeming

That should work, but I've never tried binding a cert to an IP address. Is there some reason you can't use the host name instead?

#8 Kevin Marois

              I guess I could. But I would be making one up as I have no host name. Could I just use "www.mysite.com"?


#9 Richard Deeming

Yes, if you can edit the hosts file on the machine that's making the connection. Otherwise, just use the name of the machine you're connecting to.

#10 Kevin Marois

                  OK, so I can do:

                  New-SelfSignedCertificate -DnsName "marois_dev_1" -CertStoreLocation "cert:\LocalMachine\My"

where marois_dev_1 is my server name, and run this in PowerShell on my server? Then use that cert in IIS on my server?


#11 jsc42

                    Would a site name of localhost or 127.0.0.1 / 127.0.0.0 work?


#12 Richard Deeming

Yes, that should work.

#13 Richard Deeming

That would only work if your client was running on the server. The localhost name and the loopback address always point to the current computer.

#14 Kevin Marois

                          Richard Deeming wrote:

                          New-SelfSignedCertificate -DnsName "your-host-name" -CertStoreLocation "cert:\LocalMachine\My"

                          Can you clarify the -CertStoreLocation here? I don't understand where the cert was created? Thank you


#15 Richard Deeming

It's created in the "computer account" certificate store, under the "Personal" folder. It won't appear in certutil.msc; you'll need to open up MMC, add the certificates snap-in, and select "computer account".
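Pulling posts #10, #12 and #15 together, here is an added PowerShell example (not code from the thread or from Microsoft) of the whole sequence as run on the server: create the cert with the machine name in -DnsName, confirm where -CertStoreLocation put it and which names it carries, and bind it to the IIS site. The site name "Default Web Site", the port 8091 and the IP address in the comment are placeholders, and the WebAdministration module that ships with IIS is assumed to be installed.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# server that hosts the API, i.e. the machine IIS runs on.
# Placeholders: site "Default Web Site", port 8091, IP 192.168.0.10.
$hostName = $env:COMPUTERNAME            # the name clients will type, e.g. marois_dev_1

# 1. Create the cert in the computer account's Personal store (Cert:\LocalMachine\My).
#    Every name a client will use must appear in -DnsName; a name that is missing
#    produces the "issued for a different website's address" error. To cover a raw IP
#    instead, use a SAN extension, e.g.
#    -TextExtension @("2.5.29.17={text}DNS=$hostName&IPAddress=192.168.0.10")
$cert = New-SelfSignedCertificate `
    -DnsName $hostName, "$hostName.local" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName "Dev API ($hostName)" `
    -NotAfter (Get-Date).AddYears(1)

# 2. Confirm where it landed and which names it carries. This is the same store the
#    MMC certificates snap-in shows under Computer account > Personal > Certificates.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, DnsNameList, NotAfter, Thumbprint

# 3. Bind it to the IIS site over HTTPS. AddSslCertificate takes the thumbprint and
#    the store name ("My" is the Personal folder).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 8091)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 8091
}
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 8091
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Check that HTTP.SYS now has the cert registered for the port.
netsh http show sslcert | Select-String -Pattern $cert.Thumbprint -Context 3
```

Clients still have to reach the server by one of the names in the DnsNameList output (the machine name here, or a hosts-file entry that maps a made-up name to the server's IP, as post #9 describes); connecting by any other name or by bare IP gives the name-mismatch error even though the cert is installed correctly.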

#16 Kevin Marois

Richard, thanks for your help so far, however, I'm still stuck on this and could use some more help. Here's what I've done so far:

1 - Created a self-signed cert. [Here](https://1drv.ms/u/s!AlkRTpT49yCMmgjIjxa4aANDC90v?e=1RlBuD)
2 - The cert appears in the cert store. [Here](https://1drv.ms/u/s!AlkRTpT49yCMmgYhLXfbTynXuPJn?e=kjN7sp)
3 - The cert appears in IIS. [Here](https://1drv.ms/u/s!AlkRTpT49yCMmgebyjXbM1cp629-?e=l6PIVs)
4 - Add the API in IIS using the cert. [Here](https://1drv.ms/u/s!AlkRTpT49yCMmgXPTh4iuqJFvwC1?e=wPINDg)
5 - Browse the site in IIS. I still get the cert error. [Here](https://1drv.ms/u/s!AlkRTpT49yCMmgQ2QlVeta149Zu4?e=eDyG9i)

I'm guessing that I'm still missing something.


#17 Richard Deeming

Your OneDrive links all return "Something went wrong" errors for me. What's the text of the error message?

#18 Kevin Marois

                                  "There is a problem with this website's security certificate. The security certificate presented by this website was issued for a different website's address The security certificate presented by this website was not issued by a trusted certificate authority"


#19 Richard Deeming

                                    Kevin Marois wrote:

The security certificate presented by this website was not issued by a trusted certificate authority

                                    Which is to be expected when you're using a self-signed certificate; it wasn't issued by a trusted certificate authority.

                                    Kevin Marois wrote:

                                    The security certificate presented by this website was issued for a different website's address

That suggests you generated the cert for a different host name than the one you're using in the client. For example, if you generated a cert for "localhost", and try to connect to "my-super-pc-name", you'll get this error.

#20 Kevin Marois

                                      Well, it seems that I can now access the API on my server from my Dev PC using Postman:

                                      https://marois_dev_1:8091/api/Person/GetPerson?personId=1

This part appears to be resolved. Now, I tried to allow access to the API from OUTSIDE my home network. I've opened the port on the firewall and router, but it throws

                                      "An error occurred while sending the request. "

                                      with 2 inner exceptions

                                      Inner Exception 1:
                                      WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

                                      Inner Exception 2:
                                      AuthenticationException: The remote certificate is invalid according to the validation procedure.

I'm guessing the self-signed cert won't work for this? [UPDATE] This works, but I'd like to hear your thoughts on all of this: https://stackoverflow.com/questions/703272/could-not-establish-trust-relationship-for-ssl-tls-secure-channel-soap

                                      //Trust all certificates
                                      System.Net.ServicePointManager.ServerCertificateValidationCallback =
                                      ((sender, certificate, chain, sslPolicyErrors) => true);


#21 Richard Deeming

The exception from outside is the same as before: a self-signed certificate is not issued by a trusted CA, and won't be trusted by default.

The validation callback you've shown will work, but only by turning off all SSL validation. If someone managed to poison the DNS for your external users, they can easily impersonate your service with any certificate, even if it doesn't match the name you've used. You would do better to examine the parameters passed in, and verify that the certificate matches the one you're expecting. But then you would have to update that callback every time your certificate expired and was replaced.

Alternatively, you could try to convince your external users to add your certificate to the "trusted" certificate store.

But the simplest option is to use a proper domain name, and get a proper certificate. You don't even have to pay for it - so long as your domain can be resolved publicly, you can use Let's Encrypt to get a free cert.
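To make the difference between Kevin's "return true" callback in post #20 and the check Richard describes in post #21 concrete, here is an added PowerShell example (not code from the thread) that performs a TLS handshake against the server and applies the same three-way decision a client callback should make: accept when the OS trust store validates the chain, accept when the leaf certificate is exactly the self-signed one you issued (pinned by thumbprint), reject everything else. It uses SslStream directly because AuthenticateAsClient invokes the callback on the calling thread, so a script block works in both Windows PowerShell 5.1 and PowerShell 7. The host name, port and thumbprint are placeholders; the function name Test-PinnedServerCertificate is mine.

```powershell
# Added example, not from the thread. Diagnostic client-side check that pins the
# server's self-signed certificate instead of trusting everything.
function Test-PinnedServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # SHA-1 thumbprint shown by Get-ChildItem Cert:\LocalMachine\My on the server
        [string] $PinnedThumbprint
    )

    $result = [ordered]@{ HostName = $HostName; Accepted = $false; PolicyErrors = $null
                          Subject = $null; Thumbprint = $null; Reason = $null }
    # Normalise the pin: strip spaces/colons people paste from MMC, compare uppercase hex.
    $pin = if ($PinnedThumbprint) { ($PinnedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }

    # The callback quoted in post #20 is effectively { $true }: any cert from anyone passes.
    # This one records what the server actually sent and decides per the pin.
    $decide = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $result.Subject      = $leaf.Subject
        $result.Thumbprint   = $leaf.Thumbprint
        $result.PolicyErrors = $sslPolicyErrors.ToString()
        if ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
            $result.Reason = 'chain validated by the OS trust store'
            return $true
        }
        if ($pin -and $leaf.Thumbprint -eq $pin) {
            $result.Reason = 'matched pinned thumbprint'
            return $true
        }
        $result.Reason = 'untrusted issuer or name mismatch, and no pin match'
        return $false
    }.GetNewClosure()      # capture $result and $pin for the delegate
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$decide

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            # The name passed here is what the cert's DnsName/SAN is checked against;
            # a mismatch shows up as RemoteCertificateNameMismatch in PolicyErrors.
            $ssl.AuthenticateAsClient($HostName)
            $result.Accepted = $true
        } catch {
            # A $false from the callback surfaces as AuthenticationException:
            # "The remote certificate is invalid according to the validation procedure."
            $result.Accepted = $false
            if (-not $result.Reason) { $result.Reason = $_.Exception.Message }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }

    [pscustomobject]$result
}

# Usage (placeholders): the thumbprint comes from the server's Cert:\LocalMachine\My.
# Test-PinnedServerCertificate -HostName marois_dev_1 -Port 8091 -PinnedThumbprint 'PASTE-THUMBPRINT-HERE'
```

Against the dev server with the right pin, Accepted is $true with PolicyErrors reporting RemoteCertificateChainErrors and Reason "matched pinned thumbprint"; against any other certificate it is $false, which is exactly the AuthenticationException Kevin saw. The same three checks belong in the C# ServerCertificateValidationCallback, with the pin updated whenever the cert is reissued. Richard's other option, trusting the cert on each client, is Export-Certificate -Cert $cert -FilePath dev-api.cer on the server followed by Import-Certificate -FilePath dev-api.cer -CertStoreLocation Cert:\LocalMachine\Root on the client, after which PolicyErrors becomes None and no callback is needed at all.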

#22 Kevin Marois

                                          Great. Thank you again
